bar311.exe


A pretty annoying piece of malware.

I share this laptop with my siblings. Of course we do not all have the same awareness of malware, viruses, etc. To my surprise, after my brother used my laptop, I wasn't able to use the Windows XP command prompt any more, or at least not cmd.exe. Whenever I opened a command prompt window, a shutdown dialog would appear and then the laptop would shut down. It reminded me of an old worm. Running Notepad was fine, though. So I checked whether my theory was right.

I fired up Notepad, typed in shutdown -a, then saved the file as test.bat. Sure enough, after double-clicking the .bat file the shutdown message appeared. But because of the shutdown -a command in the batch file, the pending shutdown was aborted.

Checking the Task Manager, I could see bar311.exe among the running processes, an immediate trail of the annoying malware.

The next thing was to check for hidden files. The Folder Options should look something like this:

[image: the expected Folder Options settings]

But I saw mine as:

[image: the Folder Options settings on my laptop]

Whenever I changed the settings, they reverted to that state. Something was really fishy.

I had to do something.

I started by killing the bar311.exe process using the Task Manager.

Then I re-enabled the Folder Options settings using Regedit (show hidden files, show file extensions, show protected operating system files):

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"HideFileExt"=dword:00000000
"ShowSuperHidden"=dword:00000001

Still using Regedit, search for all traces of the string bar311.exe. Winlogon starts every program listed in the Userinit value at each logon, so this is how the malware was being relaunched every time I logged in:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe,bar311.exe" --> remove ",bar311.exe"

Looking at the registry key

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]

reveals an interesting find: pc-off.bat. cmd.exe runs whatever is in this key's autorun value every time it starts, so this must be the source of the shutdown command that fired whenever I opened a prompt.

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"autorun"="c:\Windows\pc-off.bat"

Remove "c:\Windows\pc-off.bat" or delete the autorun value.
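The three registry locations above (Winlogon Userinit, the Command Processor autorun value, and the Explorer Advanced folder-option values) can be checked offline against a regedit export rather than by eyeballing each key. The following is an added example, not code from the original post: it parses .reg export text and reports anything that deviates from a clean machine. The .reg samples are constructed to mirror the infected and cleaned states described in the post; the real XP Userinit value stores the full path C:\WINDOWS\system32\userinit.exe, so both that and the bare userinit.exe shown in the post are accepted as legitimate.

```python
"""Offline audit of a regedit export for the persistence entries in the post:
an extra program appended to Winlogon's Userinit, a Command Processor AutoRun
value (cmd.exe runs it on every start), and Explorer folder-option values that
keep files hidden. Added example; the .reg text below is constructed."""
import re

# Constructed sample: what "regedit /e" exports for these keys while infected.
# .reg syntax escapes backslashes inside quoted strings.
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,bar311.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="c:\\Windows\\pc-off.bat"
"""

# Constructed sample of the same keys after the cleanup steps in the post.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"HideFileExt"=dword:00000000
"ShowSuperHidden"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
CMDPROC = r"HKEY_CURRENT_USER\Software\Microsoft\Command Processor"
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
# Folder Options values the post sets so hidden and system files are visible.
WANTED_ADVANCED = {"Hidden": 1, "HideFileExt": 0, "ShowSuperHidden": 1}
# Legitimate Userinit entries (XP stores the full system32 path).
LEGIT_USERINIT = {"userinit.exe", r"c:\windows\system32\userinit.exe"}


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: value}}.
    Handles quoted strings (with .reg backslash escapes) and dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if not m:
                continue
            name, raw = m.group(1), m.group(2)
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[len("dword:"):], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                # In .reg syntax "\\" is one backslash and "\"" is a quote.
                keys[current][name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
            else:
                keys[current][name] = raw
    return keys


def get_value(keys, key_path, name):
    """Case-insensitive lookup, matching how Windows treats key/value names."""
    for k, values in keys.items():
        if k.lower() == key_path.lower():
            for n, v in values.items():
                if n.lower() == name.lower():
                    return v
    return None


def audit(keys):
    """Return (location, value) pairs that deviate from a clean machine."""
    findings = []
    userinit = get_value(keys, WINLOGON, "Userinit") or ""
    for part in userinit.split(","):
        part = part.strip()
        if part and part.lower() not in LEGIT_USERINIT:
            findings.append(("Userinit", part))
    autorun = get_value(keys, CMDPROC, "AutoRun")
    if autorun:  # normally absent; any value here runs on every cmd.exe start
        findings.append(("Command Processor AutoRun", autorun))
    for name, want in WANTED_ADVANCED.items():
        got = get_value(keys, ADVANCED, name)
        if got is not None and got != want:
            # Hidden=2 is also the XP default, so on its own this only says
            # hidden files are not shown; it mattered in the post because the
            # change kept being reverted.
            findings.append(("Explorer " + name, got))
    return findings


if __name__ == "__main__":
    for label, text in (("infected", INFECTED_REG), ("clean", CLEAN_REG)):
        print(label, audit(parse_reg(text)))
```

On a live XP box the same text comes from regedit /e <file> <key> for each of the three keys; the lookup is case-insensitive because the registry is, which is why the lowercase "autorun" in the post and the "AutoRun" a regedit export shows are the same value.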

c:\Windows must also be where bar311.exe lives. I needed to create another batch file to delete both files.

Opening Notepad, type the following:

@echo off
rem /a matches the files regardless of their hidden/system attributes,
rem /f forces deletion of read-only files
del /a /f c:\windows\bar311.exe
del /a /f c:\windows\pc-off.bat
pause

Save the file as remover.bat on the desktop, then double-click its icon to run it.

Reboot.

Whew!
